user rights assignment load and unload device drivers

Tim’s Tech Blurbs

Tim’s tech ramblings about Intune, Modern Management, Powershell and every thing else.

How to move Windows 10 User Rights Assignment to Endpoint Manager / Intune

Should you change the default user rights assignments in Windows 10? That’s the question. If you ask my college the AD expert, he will tell you to run away and don’t even think about changing the defaults. (He will back it up with some pretty funny stories as well about who someone did it and locked out a company and maybe even a ship)

If you ask the Security team, the answer is a yes. We should set them.

Let taks a look. We will start at my favourite site. The Windows 2004 security baseline. MS recommend quite a few setting to be applied. When we add another baseline from the Security team we end up with the table below.

First things first. Let’s check the CSP and see what we need to do. To note, you can user the nice name for the account. (i.e Administrators). But we have ever lanuguage under the sun. So we need a better way to define the accounts. Lets check the Well know SID Structures for what we need.

Lets start with the local administrator. When you check for the SID, be sure to look for the BUILTIN groups and not the domain Groups. Looking at the table the SID is S-1-5-32-544.

Now we check the local account and we get S-1-5-113.

So Lets set up a polcy. Lets open Endpoint Mananger.

Goto Devices -> Configuration Profiles. Select Add new.

Select “Windows 10 and Later” and Custom in the profile

Let’s enter in a Logical name. “Windows 10 User Rights Assignment” and select Save.

Lets Start with “Load and unload device drivers.” Select Add on the next Page. Enter in the name for the setting. I am preceding the name with URA (for User Rights Assignment). In the OMA-URI after in ./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers The Data Type should be string. Andter in the desired SID for the setting. In this case it will be *S-1-5-32-544. (Add the * in before to distinguish its a SID) Pres Save.

Done. What’s next. Lets go “Access Credential Manager as a trusted caller”. According the baseline no one should have access to this. But how do we define it so no one can access it. Well don’t press save with a blank field. It will fail (I learn the hard way)

Add a new one and add in the name URA – Access Credential Manager as a trusted caller. Then for the OMA-URI enter in ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller. Select String again. In the data field I have set the value as </>. If you leave it black you get an error when saving it. Its really annoying if you have added 20 on and then relies they have all failed.

Repeat until you have added them all in. Select Next, and then assign them to your test group. Sync your device, and reboot.

You should also do the testing on a test machine. Just in case you lock your self out.

How can you check the User rings assignments have worked? Lets ask Mark. He usually know these things.

Lets download AccessChk from here. https://docs.microsoft.com/en-gb/sysinternals/downloads/accesschk . It allows you to check various permissions fo r files register etc. We will use it with the -a to give us the Windows account right. Lets check SeSystemtimePrivilege or Change the System time. According to the baseline, only Admin and Local services should have this right. Lets run accesschk.exe -a SeSystemtimePrivilege

Great the values are as we expect. What about the checking all the permissions. Let’s run accesschk.exe -a * to show all the permissions.

Now all the rights look good. So lets plan to roll it out and hope we don’t become a funny storey for my college

Published by Tim Wood

Privacy overview.

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Device manager access for non admins

Windows 7, 64bit.

Is it possible to allow non admins access to edit the device manager?

Currently when logged in as a non admin and I try to access the device manager I see the following;

I have tried to make the changes in gredit.msc but they don't seem to make any difference.

local computer policy > computer configuration > windows settings > security settings > local policies > user rights assignment > Load and unload device drivers > add specific user/group

The only thing that works is by adding my non admin user into the admin user group, this works fine. I'd rather not do this though, I'd prefer to give them access to the device manager only .

Any advice is appreciated.

• group-policy
• device-manager
• administration

• Changing the local group policy will have zero effect if the machine is connected to a domain. Is that the case? I currently have access to the device manager, and I am logged into a domain controlled machine, as a normal user. So is it possible: YES –  Ramhound Feb 11, 2016 at 17:14
• It's connected to an AD domain yes. However I have full admin control over the PC –  jonboy Feb 11, 2016 at 17:15
• You are a local user. You being a local Administrator on the machine means nothing if you are a normal user on the domain itself. A group domain policy overrides a local group policy always. Relevant Microsoft Documentation –  Ramhound Feb 11, 2016 at 17:17
• So is there any way I can resolve my issue? –  jonboy Feb 12, 2016 at 9:06
• As a non-administrator domain user, no, request your role be changed to an administrator –  Ramhound Feb 12, 2016 at 18:03

Try this im Curious.

If it does not work let me know I dont have a non admin account at my work desk.

Open a Text file and save the code below as DeviceManger.bat

Run the .bat and press 1 and hit Enter .

• Thanks @NetworkKingPin - I'm very keen to try this! Can you tell me what this does? Before I mess up my PC completely lol –  jonboy Feb 12, 2016 at 9:23
• Basically it Pushes you to get admin privileges if you do not have them already. The code is safe i use it very often to elevate my batch scripts in my work place. First it tries to get admin access if denied it provides it temp Admin Access. And it wont kill your pc. –  NetworkKingPin Feb 12, 2016 at 9:24
• There is nothing in that script that would change the user group of a user –  Ramhound Feb 12, 2016 at 18:02

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged windows-7 group-policy device-manager administration gpedit ..

• The Overflow Blog
• What language should beginning programmers choose?
• Supporting the world’s most-used database engine through 2050
• Featured on Meta
• New Focus Styles & Updated Styling for Button Groups
• Upcoming initiatives on Stack Overflow and across the Stack Exchange network
• Google Cloud will be Sponsoring Super User SE

Hot Network Questions

• How would a predator adapt to prey on sapient species?
• Parents' house repairs and siblings future inheritance
• Why does the BRK instruction set the B flag?
• "as" and the subject
• What professionals can I hire to help me investigate a structural problem?
• Can you work on Chol Ha'moed if you'll be fired otherwise?
• Is there such a thing as a "physical" fractal?
• How to disconnect stainless steel and threaded galvinized piping connection
• Why are Contour Integrals defined the way they are?
• What's the difference between objectivity and intersubjective agreement?
• Completely confused by に無断で
• Importing Specific Data from a Text File
• Employer asking to open a business bank account. Is this job a scam or legit?
• Enumerate all matches of a regex
• Is quantum gravity research implying that gravity is actually a force and not spacetime curvature according to GR?
• 74HC595 chip with 7 segment display constantly displays either all 1's or all 0's
• Why does the frequency sampling method for FIR filter design operate in this manner?
• TeX variables become local within list environments?
• Is putting a silly name on a diploma a bad idea?
• ES6 inner join equivalent
• Advantage of GLMs over transformation models
• Could a historic (1500- 1700 AD) bicycle stand rough terrain? If yes how?
• Continuous addition and multiplication on Euclidean space (dimension > 2) making it into a field?
• Why Is The Voltage and Current Not What I Calculated?

WinSecWiki  > Security Settings  > Local Policies  > User Rights  > User Rights In-Depth  > Load and unload device drivers

Load and unload device drivers

AKA: SeLoadDriverPrivilege, Load and unload device drivers

Default assignment: Administrators

This highly sensitive right allows you to load executable code into kernel mode where device drivers run. Code running in kernel mode is fully trusted and not subject to normal Windows security restrictions. This right would allow malicious code to be installed into the systems Trusted Computing Base. For XP and Windows Server 2003 documentation is conflicting on whether this right is required to install drivers for plug and play devices. XP says it is required for PnP; 2003 says it does not apply to PnP. MS KB 219435 indicates you do not need this right as long as the PnP device “is supported hardware with a Plug and Play device ID to driver match.”

You may be able to install device drivers if you have this right but unless you are an administrator the change will not be persistent; you will have to reinstall the driver each time you connect the device.

Back to top

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Task manager requiring elevation for regular users in Windows 10

Run into a little bit of a snag with Windows 10, and it's a fairly well known one - the problem is that I'm struggling to find a Windows 10 compatible fix that actually works!

It's the old "regular users have to input their password to load task manager" chestnut again. How, exactly, do I work around this? Seeing as that inputting any valid credentials in gives you access to the task manager, I don't see why this is needed. I've mucked around with the UAC GPOs to try and get it to work, but that hasn't helped. I've also tried to start task manager with Windows, which in itself would be ideal as I can do that without elevation - but I can't see how to start it minimized, as everything I've seen simply doesn't take effect.

Any solutions would be much appreciated. As to why our users need task manager; well, Microsoft Office likes to tie itself in knots every now and again. It's much better for everyone's productivity to be able to actually kill the rogue tasks themselves!

• task-manager

• Can you be more specific? I can log onto Windows 10 with a standard (non admin user) and Task Manager opens just fine (?). –  Bill_Stewart Feb 27, 2017 at 21:31
• I know, that's what it should be doing. But for whatever reason, probably an old GPO somewhere, we don't get that - it prompts for a password if you're not an admin! –  Luke Milum Mar 1, 2017 at 8:38
• What password does it prompt for? Is it a UAC prompt? (Please be more specific.) –  Bill_Stewart Mar 3, 2017 at 19:36
• It is a UAC prompt, yes. It asks for admin details, but in fact it is actually just fine with any user, as long as the details are correct. Interestingly enough, I've only observed this behaviour on our Windows 10 Anniversary edition computers - the one remaining on version 1511 (which has a broken taskbar... still) worked just fine, even with the same GPOs! –  Luke Milum Mar 6, 2017 at 10:49
• Build a brand new Windows 10 machine, do not join it to a domain, and update it fully. Do you see the behavior? If not, then you know the behavior is likely caused by one of the GPO settings. –  Bill_Stewart Mar 6, 2017 at 17:44

3 Answers 3

Run this, and logoff/on

If you have Admin rights and run this then some commands [e.g. gpedit.msc] will no longer auto-elevate and you will need to "Run as Administrator"

• Didn't work on W10_1803 –  CMy Jul 30, 2018 at 14:58

Finally I have found the solution to this. Props go to a reddit post .

The issue is with the group policy "load and unload device drivers". Computer configuration -> Policies -> windows settings -> security settings -> local policies -> user rights assignment -> load and unload device drivers.

if this is set to a group the limited user is a member of (everyone, domain users, etc) then the prompt is displayed. if you set it instead to Administrators, the prompt is suppressed and everything works fine. I am not sure the ramifications of changing this value as it has been set for us since time immemorial. Seems to have to do with accepting unsigned device drivers. If everything suddenly stops working then i will have to set it back, but the setting goes all the way back to win2k so it may no longer be relevant (except to F up my shiz)...

I've had this problem for past 4 months. I used to be a domain admin and removed that from my daily account. It was driving me mad getting UAC prompted for basic tasks like you mentioned. I finally took a deeper look at my group memberships. The key for me was looking at indirect (nested) memberships (I used Adaxes to do so, not sure best way to do so using standard AD tools). My account was a member of Group Policy Creator Owners. After removing that, doing gpupdate and finally a reboot I was able to launch stuff like Event Viewer, Task Manager, etc without the UAC prompt!!

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged windows-10 uac task-manager ..

• The Overflow Blog
• What language should beginning programmers choose?
• Supporting the world’s most-used database engine through 2050
• Featured on Meta
• New Focus Styles & Updated Styling for Button Groups
• Upcoming initiatives on Stack Overflow and across the Stack Exchange network

Hot Network Questions

• Did Tolkien invent Bilbo saving the Dwarves but forgetting about himself?
• Is it a cartesian product?
• how to handle ssh certificate based authentication from one region to another with certificate validity time?
• What is this 9-in-line latching connector?
• Meaning of "ushel" in Willa Cather's short story "The Sculptor's Funeral"
• How to disconnect stainless steel and threaded galvinized piping connection
• Could a historic (1500- 1700 AD) bicycle stand rough terrain? If yes how?
• Interpret PlusOrMinus
• Why Is The Voltage and Current Not What I Calculated?
• d orbitals PDOS analysis
• 74HC595 chip with 7 segment display constantly displays either all 1's or all 0's
• If a secondary target of the Chain Lightning spell casts Hellish Rebuke as a reaction, who does it target?
• Do "tinker" and "tinkerer" imply "unskillful"?
• Can you work on Chol Ha'moed if you'll be fired otherwise?
• Why does this "hot chassis" TV have the inputs isolated by an active circuit instead of just a capacitor?
• Why is the aperture door of the Hubble Space Telescope so weirdly shaped?
• Book where the female main character cuts off her boyfriend mid-sentence to prove her point about the perceptions created by one's choice of words
• How to make a sign language that only uses three fingers
• Is Batman's utility belt ever missing something he needs?
• Why would two different sized bikes not arrive at the same time starting from rest on the same slope?
• How can I get the translucent material right for the product?
• Parents' house repairs and siblings future inheritance
• Entanglement-based attack on E91 protocol
• Taking a scene from a video I made

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Load and unload device drivers

Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for this policy setting.

This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the Driver.cab file on the computer. Device drivers run as highly privileged code.

Windows supports the Plug and Play specifications that define how a computer can detect and configure newly added hardware, and then automatically install the device driver. Prior to Plug and Play, users needed to manually configure devices before attaching them to the computer. This model allows a user to plug in the hardware, then Windows searches for an appropriate device driver package and automatically configures it to work without interfering with other devices.

Because device driver software runs as if it is a part of the operating system with unrestricted access to the entire computer, it is critical that only known and authorized device drivers be permitted.

This policy setting is supported on versions of Windows that are designated in the Applies To list at the beginning of this topic.

Constant: SeLoadDriverPrivilege

Possible values

User-defined list of accounts

Default values

Not Defined

Best practices

• Because of the potential security risk, do not assign this user right to any user, group, or process that you do not want to take over the system.

GPO_name \Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

By default this setting is Administrators and Print Operators on domain controllers and Administrators on stand-alone servers.

The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.

Operating system version differences

There are no differences in the way this policy setting works between the supported versions of Windows that are designated in the Applies To list at the beginning of this topic.

Policy management

This section describes features, tools, and guidance to help you manage this policy.

A restart of the computer is not required for this policy setting to be effective.

Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

Group Policy

Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

Local policy settings

Site policy settings

Domain policy settings

OU policy settings

When a local setting is greyed out, it indicates that a GPO currently controls that setting.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

Device drivers run as highly privileged code. A user who has the Load and unload device drivers user right could unintentionally install malicious software that masquerades as a device driver. Administrators should exercise care and install only drivers with verified digital signatures.

You must have this user right or be a member of the local Administrators group to install a new driver for a local printer or to manage a local printer and configure defaults for options such as duplex printing.

Countermeasure

Do not assign the Load and unload device drivers user right to any user or group other than Administrators on member servers. On domain controllers, do not assign this user right to any user or group other than Domain Admins.

Potential impact

If you remove the Load and unload device drivers user right from the Print Operators group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected.

User Rights Assignment

Additional resources

User Rights and Privileges

User rights grant specific privileges and logon rights to users and groups in your computing environment. Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories.

To ease the task of user account administration, you should assign privileges primarily to group accounts, rather than to individual user accounts. When you assign privileges to a group account, users are automatically assigned those privileges when they become a member of that group. This method of administering privileges is far easier than assigning individual privileges to each user account when the account is created.

The following table lists and describes the privileges that can be granted to a user.

Some privileges can override permissions set on an object. For example, a user logged on to a domain account as a member of the Backup Operators group has the right to perform backup operations for all domain servers. However, this requires the ability to read all files on those servers, even files on which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A user right—in this case, the right to perform a backup—takes precedence over all file and directory permissions. For more information, see Backup and Recovery (https://go.microsoft.com/fwlink/?LinkID=131606).

Table Of Contents

• Access Control Overview
• Checklist: Setting Access Controls on Objects
• What Are Permissions?
• File and Folder Permissions
• Share and NTFS Permissions on a File Server
• Inherited Permissions
• How Effective Permissions Are Determined
• Determine Where to Apply Permissions
• Set, View, Change, or Remove Permissions on Files and Folders
• View Effective Permissions on Files and Folders
• Set, View, Change, or Remove Special Permissions
• Set Permissions on a Shared Resource
• Take Ownership of a File or Folder
• Audit Policies
• Define or Modify Auditing Policy Settings for an Event Category
• Apply or Modify Auditing Policy Settings for a Local File or Folder
• View the Security Log
• Understanding User Account Control
• Resources for Access Control
• Security Settings Property Page
• Select Users, Computers, or Groups Dialog Box
• Object Types Dialog Box
• Select Users, Computers, or Groups Dialog Box - Advanced Page
• Permission Entry Dialog Box
• Advanced Security Settings Properties Page - Auditing Tab
• Advanced Security Settings Properties Page - Owner Tab
• Advanced Security Settings Properties Page - Permissions Tab
• Auditing Entry Dialog Box

Windows security encyclopedia

#microsoft #windows #security

Search form

Load and unload device drivers.

This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users.

Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.

Policy path: 

Comments: , default: , supported on: , registry settings: , reboot required: , related content.

• Associations
• Content Provider
• Recorded Webinars

Configure the "Load and unload device drivers" User Right.

Supporting and supported controls.

• Configure User Rights., CC ID: 07034

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

• This setting allows users to load new device drivers onto the system. The Load And Unload Device Drivers setting should be set to the Administrators group. (Pg 25, Pg 26, Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings)
• Description: This control defines whether a user account is allowed to dynamically load a new device driver on the system. Rationale: Drivers operate at a very high privilege level. Restricting which principals can load device drivers will help reduce a malicious user's ability to negatively impac… (1.8.17, The Center for Internet Security Microsoft Windows 7 - Enterprise-Desktop Benchmark, 1.1.0)
• Description: This control defines whether a user account is allowed to dynamically load a new device driver on the system. Rationale: Drivers operate at a very high privilege level. Restricting which principals can load device drivers will help reduce a malicious user's ability to negatively impac… (1.8.17, The Center for Internet Security Microsoft Windows 7 - Enterprise-Laptop Benchmark, 1.1.0)
• Description: This control defines whether a user account is allowed to dynamically load a new device driver on the system. Rationale: Drivers operate at a very high privilege level. Restricting which principals can load device drivers will help reduce a malicious user's ability to negatively impac… (1.8.17, The Center for Internet Security Microsoft Windows 7 - SSLF-Desktop Benchmark, 1.1.0)
• Description: This control defines whether a user account is allowed to dynamically load a new device driver on the system. Rationale: Drivers operate at a very high privilege level. Restricting which principals can load device drivers will help reduce a malicious user's ability to negatively impac… (1.8.17, The Center for Internet Security Microsoft Windows 7 - SSLF-Laptop Benchmark, 1.1.0)
• This privilege should be set to Administrators. Device drivers are highly privileged processes and can be a source of Trojan Horses so only Administrators should have this right. (§ 4.2.20, The Center for Internet Security Windows 2000 Professional Benchmark, 2.2.1)
• Set this privilege for Administrators only. Device drivers are highly privileged applications and can be the source of Trojan Horses. They should be restricted where possible. (§ 4.2.20, The Center for Internet Security Windows 2000 Server Benchmark, 2.2.1)
• The user rights for this function should be set to the following: Domain Controllers: Administrators; Standalone/Member Server: Administrators; Professional: Administrators. (Pg 30, The Center for Internet Security Windows NT Benchmark, 1.0.5)
• The organization must restrict loading and unload device drivers. These drivers can be the source of "Trojan Horse" applications, and should be restricted where possible. This setting actually applies to the installation of Plug and Play device drivers. (§ 4.2.22, The Center for Internet Security Windows XP Professional SP1/SP2 Benchmark, 2.01)
• The user rights for Domain Controllers should be set to Administrators. The user rights for Member Servers should be set to Administrators. (§ 5.3.7.1, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
• The "Load and unload device drivers" user right should be granted to Administrators. (§ 3.5.6 (4.010), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
• The "Load and unload device drivers" user right should be granted to Administrators. (§ 5.3.6.1, DISA Windows XP Security Checklist, Version 6 Release 1.11)
• The "load and unload device drivers" user right should be assigned to the correct accounts. Technical Mechanisms: (1) defined the SeLoadDriverPrivilege setting in by Local or Group Policy Parameters: (1) set of accounts References: CCE-860 4.2.20 Load and unload device drivers: Administ… (CCE-3798-6, Common Configuration Enumeration List, Combined XML: Windows 2000, 5.20130214)
• The "load and unload device drivers" user right should be assigned to the correct accounts. Technical Mechanisms: (1) defined the SeLoadDriverPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ Paramete… (CCE-3293-8, Common Configuration Enumeration List, Combined XML: Windows Server 2003, 5.20130214)
• The user right of loading and unloading device drivers should be set to Administrators. (§ 6.2.2, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)
• This setting lets users load device drivers on the system. Attackers could install malicious code if they have this right. In order to install a printer driver in Windows XP, users must have this right and be a member of either the Administrators or Power Users group. The Load And Unload Device Driv… (Pg 39, NSA Guide to Security Microsoft Windows XP)

• NIST 800-53
• Common Controls Hub

The Load and unload device drivers user right must only be assigned to the Administrators group.